Links are alleged between ransomware and extortion gangs, and a warning to app developers.
Welcome to Cyber Security Today. Today is Monday, April 18, 2022. I’m Howard Solomon, contributing cybersecurity reporter for ITWorldCanada.com.
An organization receiving a ransomware or extortion threat faces a stark choice: pay to regain access to its data, or not pay and incur the wrath of customers and employees — plus the risk of reputational damage. However, paying must come with a promise: the organization will no longer be hacked, and the scammers will not retain or disclose any stolen data. The question is, can you trust scammers? Not if it’s the Karakurt, Conti or Diavol ransomware gangs. This is the argument put forward in a new report from researchers at Tetra Defense, a division of Arctic Wolf, and Chainalysis. Karakurt is an extortion gang that steals data. Unlike a ransomware gang, it does not encrypt a victim organization’s data. Karakurt is believed to have hit 55 organizations in the United States and eight in Canada. How? Researchers say there is evidence that those behind the Karakurt gang are using Conti gang resources, including network access to previous Conti victims. By an odd coincidence, a company affected by Karakurt had just fallen victim to Conti, the report says. They also believe Diavol ransomware is deployed by the same people behind Conti and Karakurt. The researchers’ conclusion: Think carefully before paying any data ransom demand. It may not prevent you from being hit again.
Application developers using certain versions of the Heroku Dashboard as well as the Travis CI Continuous Integration Application Testing Service are warned that their projects may have been copied and compromised. In a blog post on Friday, GitHub said it had come to this conclusion after investigating unauthorized access to GitHub’s NPM production framework. NPM hosts open source projects. Access was obtained via a compromised AWS API key. The key is believed to have been obtained when an attacker stole OAuth tokens to access software using Heroku and Travis CI. Projects stored on NPM and GitHub.com may be affected. Developers using Heroku and Travis CI should scour their audit logs and user account security logs for suspicious behavior.
Scammers have found a new way to monetize stolen corporate data: they offer to resell it to a company’s competitors. According to the Bleeping Computer news site, a website called Industrial Spy has been created where companies can buy stolen trade secrets, manufacturing schematics, accounting reports and customer databases. Stolen “Premium” data packages cost millions of dollars. Lower-level data can be purchased as individual files for just $2.
As I have mentioned several times, scammers use text messages as well as emails to deceive people. One of the latest ways is to spoof the victim’s phone number in a text message, so it looks like they’re getting a message from themselves. This gets around the victim’s habit of ignoring an SMS from an unknown phone number. According to the United States Federal Communications Commission, victims receive messages that appear to be from their mobile operator thanking them for paying their bill and offering them a gift as a thank you. All they have to do is click on a link. This, of course, leads to downloading malware or adding the victim’s phone number to lists that other scammers can use. If you receive an SMS like this, report it to your operator, the police and the communications regulator in your country.
To finish, it’s tax deadline day in the United States. Scammers are also paying attention, sending consumers phishing emails and text messages claiming to be from the Internal Revenue Service. The IRS does not use email, text, or social media to discuss personal tax matters, such as those involving bills or refunds. The same is true in Canada. In Canada, this year’s tax deadline is May 2 for individuals. It is also the same day for the self-employed who owe money. Otherwise, the deadline for the self-employed is June 15. Revenue Canada does not send text messages or emails requesting personal information.
That’s it for this edition. Remember that links to podcast story details are in the text version on ITWorldCanada.com.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.